Take a look at Web3 wallet security procedures

元宇宙之道 view 17294 2022-1-21 10:00
share to
Scan QR code with WeChat

There are thousands of ways and safeties to choose from.

1) Don't share keys 2) Store keys offline

3) Separation improvements and experiments (airdrop and core cost isolation)

4) Do not download software from unknown sources. 5) Immediate approval.

6) Before approval, check the security of the contract

7) Pay special attention to safety when receiving airdrops and perks

8) Beware of unknown users and software from Discord.

events

*This article is about 2700 words and takes about 10-20 minutes to read.

On New Year's Day 2022, Xiao C wanted to write the numbers and continue testing web3js' chain contract business. Suddenly my last number (bsc channel) changed back to 0 in metamask and I found that I still had 100 USD in my account from the day before and after confirming the change I see:

I ran away, where did the money go? ?

the story

Born from technology, Xiao C learns about blockchain development.As a developer I was very careful and often run it on a test network and send it to a legit website after running., but don't knowThe whole industry is still in a relatively chaotic phase., numbness and routine lead to losses.

How did the loss occur?

At the end of 2021, it is interesting that Xiao C is taken into account.(This account has many active accounts), he traced some of his activities on the channel and then found the project very interesting.(High annual return), and intentionally connect to the metamask, then complete the authorization.A typical Web3 job is this process, so you just need to approve and edit it.

However, a shock occurred. The entire website freezes immediately after clicking.(Actually the thief stole money when the card died), no response and Xiao C didn't really do it at the time and closed the site and went to do something else.

About a day later, when Xiao C returned to development,I checked the details and made sure that all funds in the account were removed.Your balance will be credited in full..

Comments

How did the thief transfer all the money to the Small C account?

results:As long as you agree, you can trade all that money without your personal account.

Xiao C has issues with getting phishing sites approved, so they tracked the site. Therefore, it is possible to keep a history of infection.

从一个钱包被盗的案例 探讨Web3的安全指南

As you can see in the image, you can see that the contract was agreed in advance, and the phishing contract allowed to mine BUSD on this account, and there is no limit on more .

Why BUSD? Xiao C recalled that the busd was selected by default when accessing this phishing site, and after checking the website linked to the wallet, it is believed that the thief had already filtered out the tokens with the maximum amount on the account .

Xiao C then considers it a new exchange contract with annual income and will continue to operate as intended. After approval, the site is immediately frozen.

After about 10 seconds, after approval, the return and the direct contract directly convert to BUSD tokens.

I then checked the authorization files.

从一个钱包被盗的案例 探讨Web3的安全指南

Default, is the metamask received by default,

MDR

Converted to a number, it is 1.157920892373162 times 10 to 59th force. oftenUnderstand that the exchange is not limitedThis means that this activation permission allows this agreement to manage my account tokens permanently.Seeing this made my back shiver. Because I have already ordered several times and will never see it.

The hacker then controls the location of the wallet, which gives them control over how the contract works, when the contract begins, and steals money. then my friendBe careful when clicking the meta mask to confirm later..

Xiao C confirmed that the thief already has 3W USD worth of tokens in this account and there are still victims exchanging money.However, there is no way to attack the blockchain, and it is impossible to know who this hacker is.

problems arise

Where is the problem?

Because I discovered blockchain recently. Xiao C gave a rough idea of ​​how fishing is, the goal of harming others is important, and the goal of protecting others is important. If you are interested, you can check:

always contagious

Case 1: User A direct transfer converts BUSD to User B

Most contracts consider the following logic:

1) Check the balance of User A's account balance 2) If the conversion is initiated by User A

The procedure is as follows:

从一个钱包被盗的案例 探讨Web3的安全指南

always promise changes

This is the process we usually trade using pancake swaps, uni swaps, etc.

Case 2: Token exchange on Swap User’s Token Exchange (BUSD to WBNB) Procedure per contract:

1) Even if User A's account balance has enough BUSD (e.g. the exchange agreement allows the account to be A's BUSD tokens)

2) The exchange rate will take 500 BUSD from account A and put it into the contract pool (assuming the exchange rate is 1:500).

3) When completed, the contract transfers 1 BNB to account A.

2) 3) Points, contracts control tokens work. This means that the contract can be passed to us and start working directly on the tokens in our account.

从一个钱包被盗的案例 探讨Web3的安全指南

fishing contract

Let's look at the traceback first.

从一个钱包被盗的案例 探讨Web3的安全指南

For regular exchanges, the exchange and the customers who fulfilled the contract must be the same person. That is, (1) and (2) in the figure above must have been started by the same person. And the change I made is not the same for both addresses. After setting up a wallet that can complement a phishing contract controlling the execution of a contract, BUSD was thought to have agreed to refer me to a phishing contract.

If you look at phishing contracts, it's no surprise that phishing contracts are crypto contracts. Anyone who has studied Solidity for a while knows how to set up a few admins or members when the contract has had enough.

So, in the future, pay attention to the support of both parties, and do not authorize projects that you do not know! ! !

safety tips

Due to this situation, Xiao C saw some tips and tricks and learned a lot of blood tips.

Here are some ways you can choose according to your needs.

don't give the key

I've seen letters saying a mnemonic creates multiple accounts, but I don't recommend it because it can get stuck in a pot.

Keys are stored offline.

Since there are many registration tools and strategies that store data in the cloud, publishing directly can lead to loss of keys in the event of a cloud leak. My idea was to copy the book to the book as soon as it was created. Of course, you can copy it to the notebook and send it to me before the key. For example, if you change a to 1, b to 2, and 1 to a, you cannot touch the important text, number tools, even if someone sees it.

Separate install and test (airdrop and main account separately)

Install both browsers. One is chrome and the other brave. One is to manage a large portfolio. The other is to get airdrops, engage in various chain functions, etc.

Do not download software from unknown sources

Do not use Baidu to download software from unknown sources.There are situations where you take out a hacked Metamask and lose money.The download should go to the address and, if possible, send it to Google Play. Chrome web store, etc.

Check current agreement

The actual URL is: Dibank is not open source, but it has better UI integration. Return or open location. You can decide for yourself.

https://debank.com/

https://approved.zone/

https://tac.dappstar.io/

https://ethallowance.com/

从一个钱包被盗的案例 探讨Web3的安全指南

As you can see in the photo, it's endless.

Every time you set up a metamask you have to look more at recognition and not recognize the next step without thinking like I am doing now.

Confirm security agreement before approval

https://www.slowmist.com/service-smart-contract-security-audit.html

You can use SlowMist's contract monitoring features.

You can check where the contract is open, and if it's open, you should check if it's an addendum contract, and so on.

Pay special attention to safety during short games and rewards

To get it, use a trumpet and not a big one. You can set quotas when you agree! ! !

Monitor staff relations carefully and beware of strangers talking to you privately on Discord

For example, Discord or Telegram, someone says they've known you for a few days and they want to make money, get airdrops, install some software they send you, and give you access. 99.99% of you will lose everything. . Your account has been stolen.

Especially if you go the NFT route for dispute resolution, someone will tell you they have a free list with a mint link and they will talk privately. The liar changes the avatar and the name to the official name, in fact, he and you are in a group to accomplish this.In fact, these scams are easy to spot if you're not greedy, and you'll usually be asked to cast a few hours and the number is 1-10. Many popular products have a mint whitelist or two. The time limit for this project is 10.

Additionally, there will be scammers who create fake websites that follow the legitimate project website, and scammers who send private messages to people on the project server and ask them to advertise them.

I have friends who bought fake NFTs from OpenC and then found them to be illegal. After a few days, the NFTs disappear from my account? It was cut... (How did you find it? See) Official Channel and Discord sent the official Opensea URL)

There is also a fake collab.land that cheats on wallet passwords, airdrops for Da V, and pretends that Da V is taking the nft/token lead.

It's a brilliant new year, so everyone be safe and I hope everyone reading this is safe and healthy!

btcfans公众号

Scan QR code with WeChat

Link
Disclaimer:

Tags: Web3
Previous: 2022 Digital Universe Metaverse Trends: A Unified View Next: CoinGecko 4D Report: 2021 Global Bankruptcy Research Report

Related